3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases

Information

Remove the right of the guest user to connect to SQL Server databases, except for master, msdb, tempdb, and, on AWS RDS instances, rdsadmin.

Rationale:

A login assumes the identity of the guest user when a login has access to SQL Server but does not have access to a database through its own account and the database has a guest user account. Revoking the CONNECT permission for the guest user will ensure that a login is not able to access database information without explicit access to do so.

Impact:

When CONNECT permission to the guest user is revoked, a SQL Server instance login must be mapped to a database user explicitly in order to have access to the database.

Solution

The following code snippet revokes CONNECT permissions from the guest user in a database. Replace <database_name> as appropriate:

USE <database_name>;
GO
REVOKE CONNECT FROM guest;

Default Value:

The guest user account is added to each new database but without CONNECT permission by default.

See Also

https://workbench.cisecurity.org/benchmarks/7201

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 9e7e36bbc1388366778391df71282e31a4d0abdd4cf9da71a5cce2c13ad17749